15
Feb
09

Network Segmentation

To paraphrase Supreme Court Justice Potter Stewart, “I know good network segmentation when I see it.”
There doesn’t seem to be a more discussed topic in the PCI compliance space than network segmentation.  Why is this such a discussed topic?  Because there are as many potential solutions as there are network equipment vendors.  So each implementation needs to be assessed on its own individual merits.
Why is network segmentation important?  For most organizations, it can mean the difference from a straightforward, relatively simple PCI assessment or a nightmare.  If an organization’s network is properly segmented and their PCI assets are physically or logically segregated from non-PCI assets, then the scope of a PCI assessment can be reduced.  This can take 50% or more of the organization’s network out of scope.
But what constitutes good network segmentation?  Here are the key concepts that I look for when assessing the segmentation of a network for PCI.

  • How is network traffic controlled?  The key here is the ‘how’.  By controlled, I’m looking for controls that physically or logically isolate PCI in-scope systems from out-of-scope systems.  Those controls can be the use of firewalls, virtual LANs (VLAN), totally separate networks and everything in between.  The most common techniques we see are firewalls or VLANs.  However, you segregate your networks, there needs to be access control lists (ACL), port/service restrictions or other controls put into place to limit and/or restrict access from the in-scope network to the not-in-scope network.
  • How is network traffic monitored?  The key here is usually whether or not the network is monitored.  While good controls are a great start, if you are not monitoring those controls, then anything could be going on and you will not know it until it escalates into a bigger problem.  What I look for is the ability to generate alerts when unauthorized traffic is blocked or detected.
  • What happens when an alert is generated?  If you have controls and monitoring in place, what do you do when an alert occurs is key.  If you do not have an incident response process for an alert, then nine times out of ten, the alert just gets ignored.  Alert response process needs to identify the alert and then have a detailed process of how to diagnose whether the alert is real or a false positive.  Either way, there should be documentation generated that proves the process was followed and the actions taken as a result.
  • Who has access to these network devices?  Finally, what you have done to limit access to the network devices is the last key item to be considered.  The first three considerations are moot if anyone can go in and make changes to these devices.  So, the final area I look for is how access to these devices is controlled and how access is monitored.

While these are the key concepts I look for, there are nuances in each area that bring in other considerations.  So, here are your starting points for network segmentation.

About these ads

4 Responses to “Network Segmentation”


  1. June 9, 2009 at 3:32 AM

    The network segmentation aims to create a trust boundary between payment systems and non-payment systems. What if this is done at a non-network level, e.g. with encryption, where non-payments systems cannot get hold of the decryption keys unless they compromise the thing doing the encryption, in which case the game is up, much like if the firewall is compromised in the network segregation example.

    For e.g. if there is a DB doing DB-level encryption of data, with a per-DB encryption key, using public-private pairs managed by an Active Directory domain. A compromise of one server will not reveal the data unless the DB is also compromised, which will mean the machine will need to be compromised at an administrator level, and even then that compromise will not allow the other DB’s to be owned unless the domain admin account is compromised. Thus, there is a ‘trust boundary’ between payment systems and connected systems. Would that count as descoping?

    Thanks,
    Johnson

    • June 10, 2009 at 5:51 PM

      Encryption such as with a VPN is also a form of network segmentation. Another possible solution is Kerberos which can create encrypted communications between devices and processes if properly configured.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Announcements

FishNet Security is looking for experienced QSAs for their PCI practice. If you are an experienced QSA and are looking for a change, go to the Web site (http://www.fishnetsecurity.com/company/careers), search for 'PCI' and apply.

If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response to too "sales-ee", I reserve the right to edit or not even authorize the response.

Calendar

February 2009
M T W T F S S
    Mar »
 1
2345678
9101112131415
16171819202122
232425262728  

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 915 other followers


Follow

Get every new post delivered to your Inbox.

Join 915 other followers

%d bloggers like this: